<?php
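session_start();

include "webmaster_connect.php";

//$page_permission = 2;

include "webmaster_check_login.php";

// Handles the "change password" form post for the logged-in webmaster:
//   1. re-checks the current password against the stored salted SHA-256 hash,
//   2. on success stores a freshly salted hash of the new password,
//   3. leaves a status message in the session and redirects.
//
// NOTE(review): the login check is done by webmaster_check_login.php, which is
// not visible here; this script does not assume that include stops execution
// for anonymous visitors and treats a missing session id as "no such user".
//
// NOTE(review): the mysql_* API used below was removed in PHP 7.0. The
// connection is opened in webmaster_connect.php (not visible here), so the
// migration to mysqli/PDO prepared statements has to start there.

if (!function_exists('createSalt')) {
    /**
     * Creates the 3-character salt stored next to the password hash.
     *
     * NOTE(review): three hex characters allow only 4096 distinct salts and
     * rand()/uniqid() are not cryptographic sources. Together with a single
     * round of SHA-256 this gives little protection if the table leaks.
     * password_hash()/password_verify() should replace the whole scheme, but
     * only together with the login script, which verifies this format.
     *
     * @return string three lowercase hex characters
     */
    function createSalt()
    {
        $string = md5(uniqid(rand(), true));
        return substr($string, 0, 3);
    }
}

$webmaster_id = isset($_SESSION['webmasterid']) ? $_SESSION['webmasterid'] : '';

// Retrieve the form data from POST. Anything that is not a plain string
// (missing field, array-valued parameter) is treated as an empty password.
$current_pass = (isset($_POST['current_pass']) && is_string($_POST['current_pass']))
    ? $_POST['current_pass']
    : '';
$new_pass = (isset($_POST['new_pass']) && is_string($_POST['new_pass']))
    ? $_POST['new_pass']
    : '';

// The id is escaped and quoted in BOTH statements, so the queries stay
// well-formed even if the session value is not the integer it is expected to be.
$safe_id = mysql_real_escape_string((string) $webmaster_id);

// Look up the stored hash and salt of the current user.
$result = mysql_query(
    "SELECT password, salt
        FROM webmaster_users
        WHERE id = '$safe_id'"
);
$userData = $result ? mysql_fetch_array($result, MYSQL_ASSOC) : false;

$password_matches = false;
if (is_array($userData)) {
    $stored_hash = (string) $userData['password'];
    $candidate_hash = hash('sha256', $userData['salt'] . hash('sha256', $current_pass));

    // Never compare hashes with == / != : PHP converts numeric-looking strings
    // (e.g. "0e123...") to numbers first, so two different hashes can compare
    // equal. hash_equals() is also constant-time; === is the fallback for
    // PHP versions older than 5.6.
    $password_matches = function_exists('hash_equals')
        ? hash_equals($stored_hash, $candidate_hash)
        : ($stored_hash === $candidate_hash);
}

if (!$password_matches) {
    // Unknown user, failed query and wrong password all end up here.
    $_SESSION['change_password_message'] = "Password did not match";
    header('Location: webmaster_change_password.php');
    exit;
}

if ($new_pass === '') {
    // Refuse to replace a working password with an empty one.
    $_SESSION['change_password_message'] = "New password cannot be empty";
    header('Location: webmaster_change_password.php');
    exit;
}

// Same format as before: sha256(salt . sha256(password)), with a new salt.
$salt = createSalt();
$hash = hash('sha256', $salt . hash('sha256', $new_pass));

// $hash is hex output of hash(); the salt is escaped in case createSalt()
// was supplied by one of the included files.
$safe_salt = mysql_real_escape_string($salt);

$updated = mysql_query(
    "UPDATE webmaster_users SET
        password = '$hash',
        salt = '$safe_salt'
    WHERE id = '$safe_id'"
);

if (!$updated) {
    // Do not report success when the row was not written.
    $_SESSION['change_password_message'] = "Password could not be changed";
    header('Location: webmaster_change_password.php');
    exit;
}

// The confirmation must not contain the password itself: session data is
// written to server-side storage and the message is shown on the next page.
$_SESSION['change_password_message'] = "Password changed";
header('Location: webmaster_account.php');
exit;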

?>